From d5285a3fd23d1fc3c36b26a90bf6d36b8245bc29 Mon Sep 17 00:00:00 2001
From: jtbx
Date: Thu, 6 Jul 2023 22:14:08 +0200
Subject: [PATCH] deploy an engelsystem named AES

---
 inventories/z9/host_vars/engelsystem.yaml | 14 ++++++
 inventories/z9/hosts.yaml | 3 ++
 playbooks/deploy_engelsystem.yaml | 20 ++++++++
 .../files/configs/engelsystem/compose.yaml | 49 +++++++++++++++++++
 .../engelsystem/nginx/aes.ccchh.net.conf | 42 ++++++++++++++++
 .../public-reverse-proxy/nginx/nginx.conf | 1 +
 6 files changed, 129 insertions(+)
 create mode 100644 inventories/z9/host_vars/engelsystem.yaml
 create mode 100644 playbooks/deploy_engelsystem.yaml
 create mode 100644 playbooks/files/configs/engelsystem/compose.yaml
 create mode 100644 playbooks/files/configs/engelsystem/nginx/aes.ccchh.net.conf

diff --git a/inventories/z9/host_vars/engelsystem.yaml b/inventories/z9/host_vars/engelsystem.yaml
new file mode 100644
index 0000000..d7e3209
--- /dev/null
+++ b/inventories/z9/host_vars/engelsystem.yaml
@@ -0,0 +1,14 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'configs/engelsystem/compose.yaml') }}"
+docker_compose__configuration_files: []
+
+cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
+cert__domains:
+ - "aes.ccchh.net"
+cert__bind_9_host: authoritative-dns
+cert__bind_9_zone: ccchh.net
+
+nginx__version_spec: ""
+nginx__deploy_redirect_conf: true
+nginx__configurations:
+ - name: aes.ccchh.net
+ content: "{{ lookup('ansible.builtin.file', 'configs/engelsystem/nginx/aes.ccchh.net.conf') }}"
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 8b390e0..332520b 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -34,3 +34,6 @@ all:
 mailserver-endpoint:
 ansible_host: mailserver-endpoint.ccchh.net
 ansible_user: chaos
+ engelsystem:
+ ansible_host: engelsystem.z9.ccchh.net
+ ansible_user: chaos
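Review bot: The same hostname is written two ways in this file: `cert__domains` quotes it (`- "aes.ccchh.net"`) while `nginx__configurations` leaves it plain (`name: aes.ccchh.net`); neither value is ambiguous to a YAML parser, so this is purely a consistency point, but picking one style for string values in the host_vars makes later additions (and grep) easier. The lookup-based `content:` and `docker_compose__compose_file_content:` values are correctly quoted since they begin with `{{`. The hosts.yaml hunk is a plain inventory addition and needs nothing.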
diff --git a/playbooks/deploy_engelsystem.yaml b/playbooks/deploy_engelsystem.yaml
new file mode 100644
index 0000000..f8442ca
--- /dev/null
+++ b/playbooks/deploy_engelsystem.yaml
@@ -0,0 +1,20 @@
+---
+- name: Configure engelsystem.z9 with engelsystem
+ hosts: engelsystem
+ roles:
+ - nginx
+ - cert
+ - docker
+ - docker_compose
+ pre_tasks:
+ - name: Install git
+ ansible.builtin.apt:
+ name: git
+ state: present
+ - name: Clone engelsystem repo
+ ansible.builtin.git:
+ repo: https://github.com/engelsystem/engelsystem.git
+ dest: "{{ ansible_user_dir }}/engelsystem"
+ version: main
+ force: true
+ update: false
diff --git a/playbooks/files/configs/engelsystem/compose.yaml b/playbooks/files/configs/engelsystem/compose.yaml
new file mode 100644
index 0000000..6fd1442
--- /dev/null
+++ b/playbooks/files/configs/engelsystem/compose.yaml
@@ -0,0 +1,49 @@
+---
+version: "3.6"
+services:
+ es_server:
+ image: es_server
+ build:
+ context: /home/chaos/engelsystem
+ dockerfile: /home/chaos/engelsystem/docker/Dockerfile
+ environment:
+ MYSQL_HOST: es_database
+ MYSQL_USER: engelsystem
+ MYSQL_PASSWORD: engelsystem
+ MYSQL_DATABASE: engelsystem
+ APP_NAME: CCCamp2023 Alternative Engelsystem
+ APP_URL: https://aes.ccchh.net
+ MAIL_DRIVER: smtp
+ MAIL_FROM_ADDRESS: aes@send-only-mail.ccchh.net
+ MAIL_HOST: send-only-mailserver.ccchh.net
+ MAIL_PORT: 465
+ MAIL_ENCRYPTION: tls
+ # MAIL_USERNAME and MAIL_PASSWORD are loaded from env file
+ env_file:
+ - engelsystem_secrets.env # Must be managed by the admin manually. Not managed by Ansible.
+ ports:
+ - "5080:80"
+ networks:
+ - database
+ - internet
+ depends_on:
+ - es_database
+ es_database:
+ image: mariadb:10.2
+ environment:
+ MYSQL_DATABASE: engelsystem
+ MYSQL_USER: engelsystem
+ MYSQL_PASSWORD: engelsystem
+ MYSQL_RANDOM_ROOT_PASSWORD: 1
+ MYSQL_INITDB_SKIP_TZINFO: "yes"
+ volumes:
+ - db:/var/lib/mysql
+ networks:
+ - database
+volumes:
+ db: {}
+
+networks:
+ database:
+ internal: true
+ internet:
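Review bot: The `Clone engelsystem repo` task tracks the moving `main` branch and, combined with `update: false`, freezes whichever commit `main` pointed at on the first run of the playbook, so the code that later gets built from this checkout is neither pinned nor reproducible across hosts or re-runs. Pin `version:` to a release tag or a full commit hash, e.g. `version: "<pinned-tag-or-commit>"`, so that upgrades become deliberate, reviewable changes in this repository rather than a side effect of when the playbook first ran. The checkout path `{{ ansible_user_dir }}/engelsystem` is also hard-coded as `/home/chaos/engelsystem` in the compose build context of the same commit; a comment such as `# Path must match build.context in configs/engelsystem/compose.yaml` on the `dest:` line would make that coupling visible.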
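Review bot: `ports: - "5080:80"` publishes the plain-HTTP application port on every host interface, while the nginx vhost added in this commit only proxies to `127.0.0.1:5080`; any peer that can reach the host on the internal network can then talk to the app directly, bypassing TLS, HSTS and the Forwarded/X-Forwarded handling. Bind the mapping to loopback instead: `- "127.0.0.1:5080:80"`. The database credentials (`MYSQL_PASSWORD: engelsystem`, repeated for es_database) are committed in clear text even though the file already sources `engelsystem_secrets.env` for the mail credentials; the `internal: true` network keeps the database off the host and the internet, but moving the MYSQL_* secrets into the same admin-managed env file would keep secrets out of the repository consistently. `image: mariadb:10.2` is an old release line — confirm it is still receiving security updates before depending on it, or track a currently supported major.minor tag.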
diff --git a/playbooks/files/configs/engelsystem/nginx/aes.ccchh.net.conf b/playbooks/files/configs/engelsystem/nginx/aes.ccchh.net.conf
new file mode 100644
index 0000000..6110ea1
--- /dev/null
+++ b/playbooks/files/configs/engelsystem/nginx/aes.ccchh.net.conf
@@ -0,0 +1,42 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ # Listen on a custom port for the proxy protocol.
+ listen 8443 ssl http2 proxy_protocol;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 10.31.206.14;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ server_name aes.ccchh.net;
+
+ ssl_certificate /etc/ansible_certs/certs/aes.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/ansible_certs/certs/aes.ccchh.net/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/ansible_certs/certs/aes.ccchh.net/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+ # is transparent).
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+ location / {
+ proxy_pass http://127.0.0.1:5080/;
+ }
+}
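Review bot: `set_real_ip_from 10.31.206.14;` trusts the PROXY-protocol source address only when it is 10.31.206.14, but the nginx.conf hunk of this same commit forwards `aes.ccchh.net` to `10.31.206.14:8443`, which suggests that address is this host itself rather than the public reverse proxy. If so, the realip module never rewrites `$remote_addr`, and X-Real-IP, X-Forwarded-For and the Forwarded header all carry the reverse proxy's address instead of the client's, which undermines logging and any per-client rate limiting or abuse handling in the application; compare with the wiki/id vhost configs and use the reverse proxy's address, `set_real_ip_from <public-reverse-proxy-ip>;`. The header comments advertise a Mozilla intermediate configuration, yet no `ssl_protocols`/`ssl_ciphers`/session settings appear in this file — presumably they live in the role's global nginx.conf, and a one-line comment saying so would save the next reader from checking. The comment typo `addreses` can be fixed while at it.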
diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf b/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf
index 70336c6..64c4e38 100644
--- a/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf
+++ b/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf
@@ -18,6 +18,7 @@ stream {
 map $ssl_preread_server_name $address {
 wiki.ccchh.net 10.31.206.13:8443;
 id.ccchh.net 10.31.206.12:8443;
+ aes.ccchh.net 10.31.206.14:8443;
 default 127.0.0.1:8443;
 }